warzonerat | 691c75376ade3956492197d79853cab8eb38dca6dc2a7c2be3d4f28f445a3d2b

Analysis

max time kernel
59s
max time network
146s
platform
windows10_x64
resource
win10v20210410
submitted
15-07-2021 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

413a47af466113b07495cb5bbd3b6439.exe
Size

350KB
MD5

413a47af466113b07495cb5bbd3b6439
SHA1

5c071fc04f4de72f97cdabef4d02f99d4f12a0a8
SHA256

691c75376ade3956492197d79853cab8eb38dca6dc2a7c2be3d4f28f445a3d2b
SHA512

c01c054ff55ce4aed76f06c7a75e9a77b4652e5a1696c3e97427419bff50f6726f45dfc142391b22736840700b167e9602cc0628e9bd87b4e0afbf0012e4995b

Score

10^/10

warzonerat infostealer rat spyware stealer

Malware Config

Extracted

Family

warzonerat

byx.z86.ru:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2964 svchost.exe
2128 svchost.exe
Loads dropped DLL 6 IoCs

Processes:

svchost.exe

pid process

2128 svchost.exe
2128 svchost.exe
2128 svchost.exe
2128 svchost.exe
2128 svchost.exe
2128 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2964	svchost.exe
2128	svchost.exe

pid	process
2128	svchost.exe
2128	svchost.exe
2128	svchost.exe
2128	svchost.exe
2128	svchost.exe
2128	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

413a47af466113b07495cb5bbd3b6439.exesvchost.exe

description	pid	process	target process
PID 3904 set thread context of 2408	3904	413a47af466113b07495cb5bbd3b6439.exe	413a47af466113b07495cb5bbd3b6439.exe
PID 2964 set thread context of 2128	2964	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exepowershell.exepowershell.exe413a47af466113b07495cb5bbd3b6439.exepowershell.exepowershell.exepowershell.exesvchost.exe

pid	process
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe
3160	powershell.exe
3160	powershell.exe
3160	powershell.exe
2704	powershell.exe
2704	powershell.exe
3904	413a47af466113b07495cb5bbd3b6439.exe
3904	413a47af466113b07495cb5bbd3b6439.exe
3904	413a47af466113b07495cb5bbd3b6439.exe
3904	413a47af466113b07495cb5bbd3b6439.exe
3904	413a47af466113b07495cb5bbd3b6439.exe
3904	413a47af466113b07495cb5bbd3b6439.exe
3904	413a47af466113b07495cb5bbd3b6439.exe
3904	413a47af466113b07495cb5bbd3b6439.exe
3904	413a47af466113b07495cb5bbd3b6439.exe
3904	413a47af466113b07495cb5bbd3b6439.exe
2704	powershell.exe
680	powershell.exe
680	powershell.exe
680	powershell.exe
2756	powershell.exe
2756	powershell.exe
2756	powershell.exe
1096	powershell.exe
1096	powershell.exe
2964	svchost.exe
2964	svchost.exe
1096	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeIncreaseQuotaPrivilege	2716	powershell.exe
Token: SeSecurityPrivilege	2716	powershell.exe
Token: SeTakeOwnershipPrivilege	2716	powershell.exe
Token: SeLoadDriverPrivilege	2716	powershell.exe
Token: SeSystemProfilePrivilege	2716	powershell.exe
Token: SeSystemtimePrivilege	2716	powershell.exe
Token: SeProfSingleProcessPrivilege	2716	powershell.exe
Token: SeIncBasePriorityPrivilege	2716	powershell.exe
Token: SeCreatePagefilePrivilege	2716	powershell.exe
Token: SeBackupPrivilege	2716	powershell.exe
Token: SeRestorePrivilege	2716	powershell.exe
Token: SeShutdownPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeSystemEnvironmentPrivilege	2716	powershell.exe
Token: SeRemoteShutdownPrivilege	2716	powershell.exe
Token: SeUndockPrivilege	2716	powershell.exe
Token: SeManageVolumePrivilege	2716	powershell.exe
Token: 33	2716	powershell.exe
Token: 34	2716	powershell.exe
Token: 35	2716	powershell.exe
Token: 36	2716	powershell.exe
Token: SeIncreaseQuotaPrivilege	2716	powershell.exe
Token: SeSecurityPrivilege	2716	powershell.exe
Token: SeTakeOwnershipPrivilege	2716	powershell.exe
Token: SeLoadDriverPrivilege	2716	powershell.exe
Token: SeSystemProfilePrivilege	2716	powershell.exe
Token: SeSystemtimePrivilege	2716	powershell.exe
Token: SeProfSingleProcessPrivilege	2716	powershell.exe
Token: SeIncBasePriorityPrivilege	2716	powershell.exe
Token: SeCreatePagefilePrivilege	2716	powershell.exe
Token: SeBackupPrivilege	2716	powershell.exe
Token: SeRestorePrivilege	2716	powershell.exe
Token: SeShutdownPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeSystemEnvironmentPrivilege	2716	powershell.exe
Token: SeRemoteShutdownPrivilege	2716	powershell.exe
Token: SeUndockPrivilege	2716	powershell.exe
Token: SeManageVolumePrivilege	2716	powershell.exe
Token: 33	2716	powershell.exe
Token: 34	2716	powershell.exe
Token: 35	2716	powershell.exe
Token: 36	2716	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeIncreaseQuotaPrivilege	3160	powershell.exe
Token: SeSecurityPrivilege	3160	powershell.exe
Token: SeTakeOwnershipPrivilege	3160	powershell.exe
Token: SeLoadDriverPrivilege	3160	powershell.exe
Token: SeSystemProfilePrivilege	3160	powershell.exe
Token: SeSystemtimePrivilege	3160	powershell.exe
Token: SeProfSingleProcessPrivilege	3160	powershell.exe
Token: SeIncBasePriorityPrivilege	3160	powershell.exe
Token: SeCreatePagefilePrivilege	3160	powershell.exe
Token: SeBackupPrivilege	3160	powershell.exe
Token: SeRestorePrivilege	3160	powershell.exe
Token: SeShutdownPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeSystemEnvironmentPrivilege	3160	powershell.exe
Token: SeRemoteShutdownPrivilege	3160	powershell.exe
Token: SeUndockPrivilege	3160	powershell.exe
Token: SeManageVolumePrivilege	3160	powershell.exe
Token: 33	3160	powershell.exe
Token: 34	3160	powershell.exe
Token: 35	3160	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

2128 svchost.exe

pid	process
2128	svchost.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

413a47af466113b07495cb5bbd3b6439.exe413a47af466113b07495cb5bbd3b6439.execmd.exesvchost.exesvchost.exe

description	pid	process	target process
PID 3904 wrote to memory of 2716	3904	413a47af466113b07495cb5bbd3b6439.exe	powershell.exe
PID 3904 wrote to memory of 2716	3904	413a47af466113b07495cb5bbd3b6439.exe	powershell.exe
PID 3904 wrote to memory of 2716	3904	413a47af466113b07495cb5bbd3b6439.exe	powershell.exe
PID 3904 wrote to memory of 3160	3904	413a47af466113b07495cb5bbd3b6439.exe	powershell.exe
PID 3904 wrote to memory of 3160	3904	413a47af466113b07495cb5bbd3b6439.exe	powershell.exe
PID 3904 wrote to memory of 3160	3904	413a47af466113b07495cb5bbd3b6439.exe	powershell.exe
PID 3904 wrote to memory of 2704	3904	413a47af466113b07495cb5bbd3b6439.exe	powershell.exe
PID 3904 wrote to memory of 2704	3904	413a47af466113b07495cb5bbd3b6439.exe	powershell.exe
PID 3904 wrote to memory of 2704	3904	413a47af466113b07495cb5bbd3b6439.exe	powershell.exe
PID 3904 wrote to memory of 3612	3904	413a47af466113b07495cb5bbd3b6439.exe	413a47af466113b07495cb5bbd3b6439.exe
PID 3904 wrote to memory of 3612	3904	413a47af466113b07495cb5bbd3b6439.exe	413a47af466113b07495cb5bbd3b6439.exe
PID 3904 wrote to memory of 3612	3904	413a47af466113b07495cb5bbd3b6439.exe	413a47af466113b07495cb5bbd3b6439.exe
PID 3904 wrote to memory of 1200	3904	413a47af466113b07495cb5bbd3b6439.exe	413a47af466113b07495cb5bbd3b6439.exe
PID 3904 wrote to memory of 1200	3904	413a47af466113b07495cb5bbd3b6439.exe	413a47af466113b07495cb5bbd3b6439.exe
PID 3904 wrote to memory of 1200	3904	413a47af466113b07495cb5bbd3b6439.exe	413a47af466113b07495cb5bbd3b6439.exe
PID 3904 wrote to memory of 2408	3904	413a47af466113b07495cb5bbd3b6439.exe	413a47af466113b07495cb5bbd3b6439.exe
PID 3904 wrote to memory of 2408	3904	413a47af466113b07495cb5bbd3b6439.exe	413a47af466113b07495cb5bbd3b6439.exe
PID 3904 wrote to memory of 2408	3904	413a47af466113b07495cb5bbd3b6439.exe	413a47af466113b07495cb5bbd3b6439.exe
PID 3904 wrote to memory of 2408	3904	413a47af466113b07495cb5bbd3b6439.exe	413a47af466113b07495cb5bbd3b6439.exe
PID 3904 wrote to memory of 2408	3904	413a47af466113b07495cb5bbd3b6439.exe	413a47af466113b07495cb5bbd3b6439.exe
PID 3904 wrote to memory of 2408	3904	413a47af466113b07495cb5bbd3b6439.exe	413a47af466113b07495cb5bbd3b6439.exe
PID 3904 wrote to memory of 2408	3904	413a47af466113b07495cb5bbd3b6439.exe	413a47af466113b07495cb5bbd3b6439.exe
PID 3904 wrote to memory of 2408	3904	413a47af466113b07495cb5bbd3b6439.exe	413a47af466113b07495cb5bbd3b6439.exe
PID 3904 wrote to memory of 2408	3904	413a47af466113b07495cb5bbd3b6439.exe	413a47af466113b07495cb5bbd3b6439.exe
PID 3904 wrote to memory of 2408	3904	413a47af466113b07495cb5bbd3b6439.exe	413a47af466113b07495cb5bbd3b6439.exe
PID 2408 wrote to memory of 3936	2408	413a47af466113b07495cb5bbd3b6439.exe	cmd.exe
PID 2408 wrote to memory of 3936	2408	413a47af466113b07495cb5bbd3b6439.exe	cmd.exe
PID 2408 wrote to memory of 3936	2408	413a47af466113b07495cb5bbd3b6439.exe	cmd.exe
PID 2408 wrote to memory of 2964	2408	413a47af466113b07495cb5bbd3b6439.exe	svchost.exe
PID 2408 wrote to memory of 2964	2408	413a47af466113b07495cb5bbd3b6439.exe	svchost.exe
PID 2408 wrote to memory of 2964	2408	413a47af466113b07495cb5bbd3b6439.exe	svchost.exe
PID 3936 wrote to memory of 3744	3936	cmd.exe	reg.exe
PID 3936 wrote to memory of 3744	3936	cmd.exe	reg.exe
PID 3936 wrote to memory of 3744	3936	cmd.exe	reg.exe
PID 2964 wrote to memory of 680	2964	svchost.exe	powershell.exe
PID 2964 wrote to memory of 680	2964	svchost.exe	powershell.exe
PID 2964 wrote to memory of 680	2964	svchost.exe	powershell.exe
PID 2964 wrote to memory of 2756	2964	svchost.exe	powershell.exe
PID 2964 wrote to memory of 2756	2964	svchost.exe	powershell.exe
PID 2964 wrote to memory of 2756	2964	svchost.exe	powershell.exe
PID 2964 wrote to memory of 1096	2964	svchost.exe	powershell.exe
PID 2964 wrote to memory of 1096	2964	svchost.exe	powershell.exe
PID 2964 wrote to memory of 1096	2964	svchost.exe	powershell.exe
PID 2964 wrote to memory of 2128	2964	svchost.exe	svchost.exe
PID 2964 wrote to memory of 2128	2964	svchost.exe	svchost.exe
PID 2964 wrote to memory of 2128	2964	svchost.exe	svchost.exe
PID 2964 wrote to memory of 2128	2964	svchost.exe	svchost.exe
PID 2964 wrote to memory of 2128	2964	svchost.exe	svchost.exe
PID 2964 wrote to memory of 2128	2964	svchost.exe	svchost.exe
PID 2964 wrote to memory of 2128	2964	svchost.exe	svchost.exe
PID 2964 wrote to memory of 2128	2964	svchost.exe	svchost.exe
PID 2964 wrote to memory of 2128	2964	svchost.exe	svchost.exe
PID 2964 wrote to memory of 2128	2964	svchost.exe	svchost.exe
PID 2128 wrote to memory of 3244	2128	svchost.exe	cmd.exe
PID 2128 wrote to memory of 3244	2128	svchost.exe	cmd.exe
PID 2128 wrote to memory of 3244	2128	svchost.exe	cmd.exe
PID 2128 wrote to memory of 3244	2128	svchost.exe	cmd.exe
PID 2128 wrote to memory of 3244	2128	svchost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\413a47af466113b07495cb5bbd3b6439.exe
"C:\Users\Admin\AppData\Local\Temp\413a47af466113b07495cb5bbd3b6439.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2704

C:\Users\Admin\AppData\Local\Temp\413a47af466113b07495cb5bbd3b6439.exe
C:\Users\Admin\AppData\Local\Temp\413a47af466113b07495cb5bbd3b6439.exe
2⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\413a47af466113b07495cb5bbd3b6439.exe
C:\Users\Admin\AppData\Local\Temp\413a47af466113b07495cb5bbd3b6439.exe
2⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\413a47af466113b07495cb5bbd3b6439.exe
C:\Users\Admin\AppData\Local\Temp\413a47af466113b07495cb5bbd3b6439.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
4⤵
PID:3744

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1096

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:3244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe
MD5
413a47af466113b07495cb5bbd3b6439

SHA1
5c071fc04f4de72f97cdabef4d02f99d4f12a0a8

SHA256
691c75376ade3956492197d79853cab8eb38dca6dc2a7c2be3d4f28f445a3d2b

SHA512
c01c054ff55ce4aed76f06c7a75e9a77b4652e5a1696c3e97427419bff50f6726f45dfc142391b22736840700b167e9602cc0628e9bd87b4e0afbf0012e4995b

Download Submit
C:\ProgramData\svchost.exe
MD5
413a47af466113b07495cb5bbd3b6439

SHA1
5c071fc04f4de72f97cdabef4d02f99d4f12a0a8

SHA256
691c75376ade3956492197d79853cab8eb38dca6dc2a7c2be3d4f28f445a3d2b

SHA512
c01c054ff55ce4aed76f06c7a75e9a77b4652e5a1696c3e97427419bff50f6726f45dfc142391b22736840700b167e9602cc0628e9bd87b4e0afbf0012e4995b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
e71a0a7e48b10bde0a9c54387762f33e

SHA1
fed75947f1163b00096e24a46e67d9c21e7eeebd

SHA256
83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

SHA512
394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
10df98e414f3f64003b0e613992bea44

SHA1
75780688499ae32372a2fc62640ce49b06c31e1f

SHA256
4973f9020d1793d299261ef6b48081d3d6b9954f0bfca719584d1a50629eb640

SHA512
31bb9e7333d41bcc9766893d447818f0bf39b4bab29c9f57786f38d238c2705ea372d1d6e163637f2d038a4efc8839d2fc59683fdadbda321e12e0d2cea9eecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
340edf732d071d03efafbd44acfc54e8

SHA1
17c4e1815c9565a2766ebb5e4ab3f75689de9d73

SHA256
2c1fda75fcc6c8ca988df9f85a635906220a3f3efd4c3d713758377d230a4280

SHA512
52ba14779b25da7240e93db6f5a353a5012bdeaeeac4fb9ac47a223bcd781a273faeca23c59511968aba2649d2eb4df35bac5d3a70e1549958d862e4df5ffbc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
340edf732d071d03efafbd44acfc54e8

SHA1
17c4e1815c9565a2766ebb5e4ab3f75689de9d73

SHA256
2c1fda75fcc6c8ca988df9f85a635906220a3f3efd4c3d713758377d230a4280

SHA512
52ba14779b25da7240e93db6f5a353a5012bdeaeeac4fb9ac47a223bcd781a273faeca23c59511968aba2649d2eb4df35bac5d3a70e1549958d862e4df5ffbc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f7d131a7f8dd8baaabfd865235f2362d

SHA1
497f89e49d3a3c075ab0ed45ec8b950405fefc36

SHA256
805297eca940248fbe282a4334766e5ce86aeba04116c1681e36e83b06dca4ec

SHA512
717a6e453237313186b9856632705d568911aa19746b1f206d471f00fd6fcb1ce726f325d8ad39583ebfc0ef2fa4625db64fac2dbe975ba84f83eff315061418

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
68b6590c8cf361d21cf711eda62b574d

SHA1
2a1351042e28b4789611ed6c4b1c51c79b4155ff

SHA256
ac44ea67d2e6cb150aa97eab46f52554f4fd1d54c3408aba1b7f5bf8659dfc4e

SHA512
21fb82f3eb5818ecc2683e6984345de6cac16c8685f9ccbd22581b8f9dded026a5cb65974a1fa3a5338bc488003cb544187139dbab71bc4fd8311369c04e51c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
413a47af466113b07495cb5bbd3b6439

SHA1
5c071fc04f4de72f97cdabef4d02f99d4f12a0a8

SHA256
691c75376ade3956492197d79853cab8eb38dca6dc2a7c2be3d4f28f445a3d2b

SHA512
c01c054ff55ce4aed76f06c7a75e9a77b4652e5a1696c3e97427419bff50f6726f45dfc142391b22736840700b167e9602cc0628e9bd87b4e0afbf0012e4995b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
413a47af466113b07495cb5bbd3b6439

SHA1
5c071fc04f4de72f97cdabef4d02f99d4f12a0a8

SHA256
691c75376ade3956492197d79853cab8eb38dca6dc2a7c2be3d4f28f445a3d2b

SHA512
c01c054ff55ce4aed76f06c7a75e9a77b4652e5a1696c3e97427419bff50f6726f45dfc142391b22736840700b167e9602cc0628e9bd87b4e0afbf0012e4995b

Download Submit
\Users\Admin\AppData\Local\Temp\freebl3.dll
MD5
ef12ab9d0b231b8f898067b2114b1bc0

SHA1
6d90f27b2105945f9bb77039e8b892070a5f9442

SHA256
2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7

SHA512
2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

Download Submit
\Users\Admin\AppData\Local\Temp\mozglue.dll
MD5
75f8cc548cabf0cc800c25047e4d3124

SHA1
602676768f9faecd35b48c38a0632781dfbde10c

SHA256
fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0

SHA512
ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

Download Submit
\Users\Admin\AppData\Local\Temp\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\nss3.dll
MD5
d7858e8449004e21b01d468e9fd04b82

SHA1
9524352071ede21c167e7e4f106e9526dc23ef4e

SHA256
78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db

SHA512
1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440

Download Submit
\Users\Admin\AppData\Local\Temp\softokn3.dll
MD5
471c983513694ac3002590345f2be0da

SHA1
6612b9af4ff6830fa9b7d4193078434ef72f775b

SHA256
bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f

SHA512
a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410

Download Submit
\Users\Admin\AppData\Local\Temp\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
memory/680-409-0x0000000006972000-0x0000000006973000-memory.dmp

Filesize
4KB

Download
memory/680-398-0x0000000000000000-mapping.dmp

Download
memory/680-408-0x0000000006970000-0x0000000006971000-memory.dmp

Filesize
4KB

Download
memory/680-445-0x0000000006973000-0x0000000006974000-memory.dmp

Filesize
4KB

Download
memory/1096-651-0x0000000006F53000-0x0000000006F54000-memory.dmp

Filesize
4KB

Download
memory/1096-608-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/1096-609-0x0000000006F52000-0x0000000006F53000-memory.dmp

Filesize
4KB

Download
memory/1096-591-0x0000000000000000-mapping.dmp

Download
memory/2128-668-0x0000000004640000-0x000000000477C000-memory.dmp

Filesize
1.2MB

Download
memory/2128-691-0x0000000004F20000-0x0000000004FA4000-memory.dmp

Filesize
528KB

Download
memory/2128-614-0x0000000000405E28-mapping.dmp

Download
memory/2128-626-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2408-261-0x0000000000405E28-mapping.dmp

Download
memory/2408-260-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2408-265-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2704-329-0x0000000004773000-0x0000000004774000-memory.dmp

Filesize
4KB

Download
memory/2704-239-0x0000000000000000-mapping.dmp

Download
memory/2704-256-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/2704-257-0x0000000004772000-0x0000000004773000-memory.dmp

Filesize
4KB

Download
memory/2716-129-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

Filesize
4KB

Download
memory/2716-127-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/2716-126-0x0000000004AB2000-0x0000000004AB3000-memory.dmp

Filesize
4KB

Download
memory/2716-125-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/2716-128-0x0000000007C50000-0x0000000007C51000-memory.dmp

Filesize
4KB

Download
memory/2716-124-0x00000000075B0000-0x00000000075B1000-memory.dmp

Filesize
4KB

Download
memory/2716-138-0x0000000009570000-0x0000000009571000-memory.dmp

Filesize
4KB

Download
memory/2716-130-0x0000000007F10000-0x0000000007F11000-memory.dmp

Filesize
4KB

Download
memory/2716-123-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/2716-131-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

Filesize
4KB

Download
memory/2716-120-0x0000000000000000-mapping.dmp

Download
memory/2716-132-0x0000000008320000-0x0000000008321000-memory.dmp

Filesize
4KB

Download
memory/2716-133-0x0000000008590000-0x0000000008591000-memory.dmp

Filesize
4KB

Download
memory/2716-149-0x0000000004AB3000-0x0000000004AB4000-memory.dmp

Filesize
4KB

Download
memory/2716-148-0x000000000A690000-0x000000000A691000-memory.dmp

Filesize
4KB

Download
memory/2716-140-0x0000000009320000-0x0000000009321000-memory.dmp

Filesize
4KB

Download
memory/2716-139-0x00000000092D0000-0x00000000092D1000-memory.dmp

Filesize
4KB

Download
memory/2756-505-0x00000000047F2000-0x00000000047F3000-memory.dmp

Filesize
4KB

Download
memory/2756-541-0x00000000047F3000-0x00000000047F4000-memory.dmp

Filesize
4KB

Download
memory/2756-504-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/2756-495-0x0000000000000000-mapping.dmp

Download
memory/2964-282-0x0000000005800000-0x0000000005CFE000-memory.dmp

Filesize
5.0MB

Download
memory/2964-273-0x0000000000000000-mapping.dmp

Download
memory/3160-215-0x0000000000000000-mapping.dmp

Download
memory/3160-330-0x0000000004C73000-0x0000000004C74000-memory.dmp

Filesize
4KB

Download
memory/3160-226-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/3160-227-0x0000000004C72000-0x0000000004C73000-memory.dmp

Filesize
4KB

Download
memory/3244-650-0x0000000000000000-mapping.dmp

Download
memory/3744-280-0x0000000000000000-mapping.dmp

Download
memory/3904-240-0x0000000006EA0000-0x0000000006EEF000-memory.dmp

Filesize
316KB

Download
memory/3904-250-0x0000000008110000-0x0000000008178000-memory.dmp

Filesize
416KB

Download
memory/3904-255-0x0000000008230000-0x0000000008231000-memory.dmp

Filesize
4KB

Download
memory/3904-114-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/3904-119-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download
memory/3904-118-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/3904-117-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/3904-116-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/3936-272-0x0000000000000000-mapping.dmp

Download